WiredTree, a Chicago-based managed web hosting provider delivering dedicated servers and VPS hosting solutions, has warned users of the popular Joomla! content management system (CMS) that they should upgrade or patch their installation immediately. The warning is motivated by a serious remote code execution vulnerability, widely publicized in Ars Technica recently, that is being actively exploited by malefactors, with a high likelihood of unpatched sites being targeted.
The vulnerability affects all versions of Joomla! prior to version 3.4.6. Users running the current 3.x branch of Joomla! should upgrade to version 3.4.6. Users of the end-of-life 1.5.x and 2.5.x versions can apply hot-fixes made available by Joomla!’s developers, and should ideally update to an actively maintained version of the CMS as soon as possible.
Joomla!, while not as popular as WordPress, has a large user base, particularly in the enterprise and among large-scale publishers. According to WiredTree, Joomla! should not be singled out as insecure – such vulnerabilities have been found in all major content management systems over the years – but it is important to make users of Joomla! aware that they must update as soon as possible.
“As a managed web hosting company, we support a great many clients that use Joomla! because it’s an excellent content management system,” says Zac Cogswell, President of WiredTree. “But we feel that because the vulnerability is widespread and is being actively exploited, it’s important to get the news out to as many Joomla! users as we can – update your website immediately!”
The vulnerability results from the way Joomla! handles session data, essentially allowing a malicious user to leverage the HTTP User-Agent header to insert arbitrary data into the site’s database. From that point, it is relatively straightforward to have arbitrary code executed by the content management system, according to WiredTree.
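For site operators who want to act on the two points above (which branches need upgrading versus a hot-fix, and that the attack path runs through the HTTP User-Agent header), the following Python script is an added example written for this page; it is not WiredTree's or the Joomla! project's code. It does two things: triages an installed Joomla! version against the thresholds stated in the release, and scans web-server access log lines for User-Agent values that look like injected data rather than a browser string. The release only says that crafted User-Agent headers are used to insert arbitrary data into the database, so the specific heuristics (PHP serialization markers, escaped or non-printable bytes, abnormal length, embedded quotes), the 512-character length cap, the Apache/nginx "combined" log layout and the sample log lines are all this example's own assumptions and constructed inputs.

```python
import re
import sys
from typing import Iterable

# ---- Version triage, using the thresholds stated in the advisory text ----

def joomla_exposure(version: str) -> str:
    """Classify an installed Joomla! version string such as '3.4.5' or '2.5.28'."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))          # pad '3.4' -> (3, 4, 0)
    major, minor, _ = nums
    if tuple(nums) >= (3, 4, 6):
        return "patched"
    if major == 3:
        return "vulnerable: upgrade to 3.4.6"
    if (major, minor) in ((1, 5), (2, 5)):
        return "vulnerable: apply the Joomla! hot-fix, then migrate to a maintained release"
    # Everything else before 3.4.6 is covered by "all versions prior to 3.4.6";
    # the advisory names no hot-fix for these branches.
    return "vulnerable: end-of-life branch with no hot-fix named; migrate to a maintained release"


# ---- User-Agent triage over access logs (heuristics are this example's assumptions) ----

# Apache/nginx "combined" format; the UA field may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)
# PHP serialized object/array markers, e.g. O:8:"stdClass"  or  a:2:{ (quote may be logged as \").
PHP_SERIAL_RE = re.compile(r'(?:O:\d+:\\?"|a:\d+:\{)')
# Apache logs non-printable bytes in header values as \xHH.
ESCAPED_BYTE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
MAX_UA_LEN = 512  # assumed cap; real browser strings are far shorter


def suspicious_reasons(ua: str) -> list[str]:
    """Return the list of heuristic signals that fire for one logged User-Agent value."""
    reasons = []
    if PHP_SERIAL_RE.search(ua):
        reasons.append("php-serialized-marker")
    if ESCAPED_BYTE_RE.search(ua) or any(not 32 <= ord(c) < 127 for c in ua):
        reasons.append("non-printable-bytes")
    if len(ua) > MAX_UA_LEN:
        reasons.append("oversized")
    if '\\"' in ua:
        reasons.append("embedded-quote")
    return reasons


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Parse combined-format lines and return one finding per request with a suspicious UA."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this scanner's concern
        reasons = suspicious_reasons(m.group("ua"))
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "ua": m.group("ua"), "reasons": reasons})
    return findings


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [14/Dec/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0 Safari/537.36"',
    '203.0.113.11 - - [14/Dec/2015:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" '
    '"O:8:\\"stdClass\\":0:{}"',
    '203.0.113.12 - - [14/Dec/2015:10:01:09 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 \\x01\\x1b (compatible)"',
    '203.0.113.13 - - [14/Dec/2015:10:01:12 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"' + "A" * 600 + '"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else "3.4.5"
    print(f"Joomla! {version}: {joomla_exposure(version)}")
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"{f['ip']} {f['ts']} {f['reasons']} ua={f['ua'][:60]!r}")
```

Run it with the installed version as the first argument and pipe a real access log into `scan_log` in place of the constructed lines; a hit is a reason to look at the session table for that site, not proof of compromise, since each heuristic can also fire on odd but legitimate clients.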